Recent hacks and outages affecting a wide range of software companies have amplified calls for stricter liability standards. Image: qso4you.com via Wikimedia Commons (CC-BY-SA-2.0)

The struggle for software liability: Inside a ‘very, very, very hard problem’

Six years after Congress tasked a group of cybersecurity experts with reimagining America’s approach to digital security, virtually all of that group’s proposals have been implemented. But there’s one glaring exception that has especially bedeviled policymakers and advocates: a proposal to make software companies legally liable for major failures caused by flawed code.

Software liability was a landmark recommendation of the Cyberspace Solarium Commission, a bipartisan team of lawmakers and outside experts that dramatically elevated the government’s attention to cyber policy through an influential report that has seen roughly 80% of its 82 recommendations adopted. Recent hacks and outages — including at leading vendors like Microsoft and CrowdStrike — have demonstrated the urgent need to hold software companies accountable, according to advocates for software liability standards.

But despite the Solarium Commission’s high-profile backing and the avowed interest of the Biden administration, this long-discussed idea hasn’t borne fruit. Interviews with legal experts, technologists and tech-industry representatives reveal why: Software liability is extremely difficult to design, with multiple competing approaches, and the industry warns that it will wreck innovation and even undermine security.

“The Solarium Commission and Congress knew that this was going to be a multi-year effort to get this done,” said Jim Dempsey, senior policy adviser at Stanford University’s Program on Geopolitics, Technology and Governance. “This is a very, very, very hard problem.”

‘Golden-child industry’

A recent spate of massive cyberattacks and global disruptions — including the SolarWinds supply-chain attack, the MOVEit ransomware campaign, the Ivanti hacks, the CrowdStrike outage and Microsoft’s parade of breaches — has shined a spotlight on the world’s vulnerability to widely distributed but sometimes poorly written code.

“There is a widespread recognition that something's got to change,” Dempsey said. “We're way too heavily dependent on software that has way too many vulnerabilities.”

The software industry’s repeated failures have exasperated experts who see little urgency to address the roots of the problem. But bringing companies to heel will be extremely difficult.

“We have literally protected software from almost all forms of liability, comprehensively, since the inception of the industry decades ago,” said Chinmayi Sharma, an associate professor at Fordham School of Law who specializes in cybersecurity and platform liability. “It’s just a golden-child industry.”

Adam Meyers of CrowdStrike speaks at a House Homeland Security subcommittee hearing on September 24, 2024 following global outages tied to a botched software update. Image: House Homeland Security Committee / YouTube

Virtually all software licenses contain clauses immunizing vendors from liability. Policymakers originally accepted this practice as the cost of helping a nascent industry flourish. But now that the industry is mature and its products power all kinds of critical services, it will be an uphill battle to untangle what Dempsey called the “intersecting legal doctrines that have insulated software developers from the consequences of the flaws in their products.”

The Biden administration’s National Cybersecurity Strategy says software vendors should be “held liable when they fail to live up to the duty of care they owe” to their customers, and the White House’s Office of the National Cyber Director (ONCD) has been exploring options for a liability regime. But this work has progressed slowly as officials wade into a thicket of legal and technical challenges.

Clash of law and technology

Since the 1980s, legal scholars have discussed how liability should apply to flawed software. The fact that there still isn’t a consensus about the right approach underscores how complicated the issue is.

One of the biggest hurdles is establishing a “standard of care,” a minimum security threshold that companies could meet to avoid lawsuits. There’s disagreement about “how to define a reasonably secure software product,” Dempsey said, and technology evolves so quickly that it might not be wise to codify one specific standard.

Various solutions have been proposed, including letting juries decide if software is safe enough — like they do with other products — and letting companies qualify for “safe harbor” from lawsuits through existing programs like a government attestation process.

The Solarium Commission proposed safe harbor for companies that patch known vulnerabilities. But that would only address part of the problem.

“There has to be some liability for … vulnerabilities that are not yet known but should have been avoided [through] reasonable coding practices,” Dempsey said, noting that car companies are liable for such failures in their vehicles.

One option would be to give companies a deadline for adopting best practices that eliminate entire categories of vulnerabilities (for example, writing new code in memory-safe languages, which removes whole classes of memory-corruption bugs) and to establish liability for any company still not using those practices after the deadline.

There are many other issues, including burdens for parties in civil suits (should plaintiffs be required to get class-action certification?), the role of insurance companies, the challenges of open-source software and what harms should be legally actionable. Another question is whether liability should be based on regulatory standards created and enforced by an agency like the Federal Trade Commission or on a body of case law generated by private lawsuits. And before software could even be subject to product-liability lawsuits, Congress would likely need to classify it as a product to override the industry’s treatment of it as a service.

Influential opponents

Software companies and their allies strongly oppose far-reaching liability proposals, calling them not only misguided but counterproductive.

One of the industry’s chief arguments is that liability would distract companies from improving security and overburden them with compliance costs. “The more companies are spending their time on thinking about liability, the less they might be spending their time on higher-value activities,” said Henry Young, senior director of policy at the software trade group BSA.

Liability opponents say insecure software isn’t the biggest cybersecurity problem, pointing to widespread and devastating phishing attacks. They argue that even if policymakers want to focus on software security, there are better ways to prod vendors forward, such as encouraging corporate-board oversight. And they warn that focusing on liability will distract the government from pursuing better policies with its limited resources.

Critics also contend that it’s unfair to punish companies for digital flaws that are deliberately exploited by malicious actors, a scenario that’s rare in most industries with liability, such as food and automobiles.

Industry leaders say liability is unnecessary because there’s already a working alternative: the marketplace, where businesses are accountable to their customers and invest in security to avoid financial and reputational punishment. As for contracts disclaiming liability, the industry says customers can negotiate security expectations with their vendors.

“We're open to conversations about any way to improve software security,” Young said. “Our customers care about it, and we want to deliver for them.”

Many security experts dismissed these arguments.

Sharma scoffed at the idea that liability would ruin the industry. “We've regulated cars,” she said. “We haven't seen cars just be litigated out of existence.”

As for the claim that the market already punishes negligent software makers? “There's a couple of VPN providers who are prima facie evidence that that's not true,” said Trey Herr, senior director of the Atlantic Council’s Cyber Statecraft Initiative.

“Just telling organizations that not fixing security bugs will impact their business is not enough of an incentive,” a group of tech experts warned the Cybersecurity and Infrastructure Security Agency in a report approved this month.

Experts also rejected the idea that most customers could negotiate liability into their contracts. Few companies have leverage in negotiations with software giants, and few customers know enough about software security to make any demands of their vendors.

The Biden administration, recognizing these market failures, wants to act.

‘We’re still learning as we go’

The White House’s software liability work is still in the early stages.

In April, ONCD held a symposium with legal experts to solicit their ideas. Sharma, who attended the meeting, called it a good first step but said there was “a lot of very, very important stuff that we didn’t really get to in any meaningful way.”

A few weeks later, BSA hosted ONCD officials and member companies to share the industry’s perspective and hear the government’s thoughts.


Software made by Austin-based SolarWinds was the focus of a major cyberattack in 2020 that impacted thousands of organizations.

White House staffers have been meeting with developers, security experts, lawyers and policy managers to understand the incentives driving companies’ decision-making and how they’d handle liability, according to Nick Leiserson, ONCD’s assistant director for cyber policy and programs. “We want to hear from developers in particular about, how do they think this would affect them?”

Legal experts have urged the White House to pursue tort-based liability, Leiserson said, but officials are considering “a more regulatory approach” — at least for establishing a standard of care, the details of which they’re still deliberating.

“All options are on the table at the moment,” Leiserson said.

ONCD’s listening process is expected to wrap up by the end of March 2025, but Leiserson said he couldn’t predict next steps “because we're still learning as we go.”

Some experts are concerned that the final product will heavily favor the tech industry. Sharma said the administration’s assiduous engagement with software companies left her “concerned about regulatory capture.”

Senior administration officials haven’t lived up to their lofty rhetoric about shifting the burden of cybersecurity from customers to suppliers, Herr said. “There is an attitude in this White House of a willingness to defer to industry in operational questions in a lot of cases.”

“Liability is hard,” he added, “but pushing industries to take action when there's a lack of political will to do so is that much harder.”

Tipping points

Discussions about software liability tend to end with skepticism about meaningful policymaking in the near future.

In part, that’s because even major incidents like the CrowdStrike outage rarely have lasting effects on companies’ practices or customers’ choices.

“Nothing's going to happen in a few years,” Dempsey said.

Experts identified two potential tipping points. Major critical infrastructure disruptions stemming from faulty software could prompt hospitals, energy companies and other service providers to demand liability changes. Or the proposal of strict rules in the European Union could lead the industry — already scarred by the EU’s General Data Protection Regulation, or GDPR — to encourage the U.S. to preemptively enact less onerous standards.

Herr said the government might have to start discussing the software crisis the way it talks about the opioid epidemic, which received increased resources as policymakers’ rhetoric ramped up.

Flawed software isn’t killing people yet — but that might only be a matter of time.

“I don't think anybody would look at where we're at and say we're in a good place,” Herr said.

Eric Geller is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.